← Back

Hyland

hyland

29 CVEs • 10 products

Products (10)

Click to collapse
Toggle
Onbase
onbase
15 CVEs
Perceptive Document Filters
perceptive_document_filters
4 CVEs
Alfresco Content Services
alfresco_content_services
3 CVEs
Alfresco Transform Service
alfresco_transform_service
3 CVEs
Alfresco Transform Core
alfresco_transform_core
3 CVEs
Saperion Web Client
saperion_web_client
2 CVEs
Alfresco Transformation Service
alfresco_transformation_service
2 CVEs
Transform Core Aio
transform_core_aio
2 CVEs
Perceptive Content Server
perceptive_content_server
1 CVE
Nuxeo
nuxeo
1 CVE

CVEs (29)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2026-26339
1Hyland
4Alfresco Transform Core
Alfresco Transform ServiceAlfresco Transformation Service+1 more
Mar 2, 2026
Feb 19, 2026
9.3 CRITICAL· v4
9.8 CRITICAL· v3
N/A· v2
Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve remote code execution through the argument injection vulnerability, which exists in the document processing functionality.
CVE-2026-26338
1Hyland
4Alfresco Transform Core
Alfresco Transform ServiceAlfresco Transformation Service+1 more
Mar 2, 2026
Feb 19, 2026
6.9 MEDIUM· v4
9.8 CRITICAL· v3
N/A· v2
Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve server-side request forgery (SSRF) through the document processing functionality.
CVE-2026-26337
1Hyland
2Alfresco Transform Core
Alfresco Transform Service
Mar 2, 2026
Feb 19, 2026
8.8 HIGH· v4
8.2 HIGH· v3
N/A· v2
Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery through the absolute path traversal.
CVE-2026-26336
1Hyland
1Alfresco Content Services
Mar 3, 2026
Feb 19, 2026
8.7 HIGH· v4
7.5 HIGH· v3
N/A· v2
Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files...Show more
Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files.Show less
CVE-2024-40347
1Hyland
1Alfresco Content Services
Mar 18, 2025
Jul 20, 2024
N/A· v4
6.1 MEDIUM· v3
N/A· v2
A reflected cross-site scripting (XSS) vulnerability in Hyland Alfresco Platform 23.2.1-r96 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the parameter...Show more
A reflected cross-site scripting (XSS) vulnerability in Hyland Alfresco Platform 23.2.1-r96 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the parameter htmlid.Show less
CVE-2023-49964
1Hyland
1Alfresco Content Services
Nov 21, 2024
Dec 11, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
An issue was discovered in Hyland Alfresco Community Edition through 7.2.0. By inserting malicious content in the folder.get.html.ftl file, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can...Show more
An issue was discovered in Hyland Alfresco Community Edition through 7.2.0. By inserting malicious content in the folder.get.html.ftl file, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and achieve RCE (Remote Code Execution). NOTE: this issue exists because of an incomplete fix for CVE-2020-12873.Show less
CVE-2021-32828
1Hyland
1Nuxeo
Nov 21, 2024
Jan 5, 2023
N/A· v4
6.1 MEDIUM· v3
N/A· v2
The Nuxeo Platform is an open source content management platform for building business applications. In version 11.5.109, the `oauth2` REST API is vulnerable to Reflected Cross-Site Scripting (XSS). This XSS can be escal...Show more
The Nuxeo Platform is an open source content management platform for building business applications. In version 11.5.109, the `oauth2` REST API is vulnerable to Reflected Cross-Site Scripting (XSS). This XSS can be escalated to Remote Code Execution (RCE) by levering the automation API.Show less
CVE-2022-23342
1Hyland
1Onbase
Nov 21, 2024
Jun 21, 2022
N/A· v4
5.3 MEDIUM· v3
5.0 MEDIUM· v2
The Hyland Onbase Application Server releases prior to 20.3.58.1000 and OnBase releases 21.1.1.1000 through 21.1.15.1000 are vulnerable to a username enumeration vulnerability. An attacker can obtain valid users based on...Show more
The Hyland Onbase Application Server releases prior to 20.3.58.1000 and OnBase releases 21.1.1.1000 through 21.1.15.1000 are vulnerable to a username enumeration vulnerability. An attacker can obtain valid users based on the response returned for invalid and valid users by sending a POST login request to the /mobilebroker/ServiceToBroker.svc/Json/Connect endpoint. This can lead to user enumeration against the underlying Active Directory integrated systems.Show less
CVE-2020-25260
1Hyland
1Onbase
Nov 21, 2024
Sep 11, 2020
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows remote attackers to execute arbitrary code because of...Show more
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows remote attackers to execute arbitrary code because of unsafe JSON deserialization.Show less
CVE-2020-25259
1Hyland
1Onbase
Nov 21, 2024
Sep 11, 2020
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It uses XML deserialization libraries in an unsafe manner.
CVE-2020-25258
1Hyland
1Onbase
Nov 21, 2024
Sep 11, 2020
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It uses ASP.NET BinaryFormatter.Deserialize in a manner that all...Show more
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It uses ASP.NET BinaryFormatter.Deserialize in a manner that allows attackers to transmit and execute bytecode in SOAP messages.Show less
CVE-2020-25257
1Hyland
1Onbase
Nov 21, 2024
Sep 11, 2020
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows XXE attacks for read/write access to arbitrary files.
CVE-2020-25256
1Hyland
1Onbase
Nov 21, 2024
Sep 11, 2020
N/A· v4
9.1 CRITICAL· v3
6.4 MEDIUM· v2
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. PKI certificates have a private key that is the same across diff...Show more
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. PKI certificates have a private key that is the same across different customers' installations.Show less
CVE-2020-25255
1Hyland
1Onbase
Nov 21, 2024
Sep 11, 2020
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows remote attackers to cause a denial of service (outage...Show more
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows remote attackers to cause a denial of service (outage of connection-request processing) via a long user ID, which triggers an exception and a large log entry.Show less
CVE-2020-25254
1Hyland
1Onbase
Nov 21, 2024
Sep 11, 2020
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows SQL injection, as demonstrated by TestConnection_Local...Show more
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows SQL injection, as demonstrated by TestConnection_LocalOrLinkedServer, CreateFilterFriendlyView, or AddWorkViewLinkedServer.Show less
CVE-2020-25253
1Hyland
1Onbase
Nov 21, 2024
Sep 11, 2020
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows SQL injection, as demonstrated by the TableName, Colum...Show more
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows SQL injection, as demonstrated by the TableName, ColumnName, Name, UserId, or Password parameter.Show less
CVE-2020-25252
1Hyland
1Onbase
Nov 21, 2024
Sep 11, 2020
N/A· v4
8.8 HIGH· v3
6.8 MEDIUM· v2
An issue was discovered in Hyland OnBase through 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. CSRF can be used to log in a user, and then perform acti...Show more
An issue was discovered in Hyland OnBase through 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. CSRF can be used to log in a user, and then perform actions, because there are default credentials (the wstinol password for the manager or hsi account).Show less
CVE-2020-25251
1Hyland
1Onbase
Nov 21, 2024
Sep 11, 2020
N/A· v4
9.1 CRITICAL· v3
6.4 MEDIUM· v2
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Client-side authentication is used for critical functions such a...Show more
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Client-side authentication is used for critical functions such as adding users or retrieving sensitive information.Show less
CVE-2020-25250
1Hyland
1Onbase
Nov 21, 2024
Sep 11, 2020
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Client applications can write arbitrary data to the server logs.
CVE-2020-25249
1Hyland
1Onbase
Nov 21, 2024
Sep 11, 2020
N/A· v4
5.3 MEDIUM· v3
5.0 MEDIUM· v2
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. The server typically logs activity only when a client applicatio...Show more
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. The server typically logs activity only when a client application specifies that logging is desired. This can be problematic for use cases in a regulated industry, where server-side logging is required in additional situations.Show less